U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Evaluation Report
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2010

OAS-M-11-01                                                        October 2010

Department of Energy
Washington, DC 20585
October 25, 2010

MEMORANDUM FOR THE CHAIRMAN, FEDERAL ENERGY REGULATORY COMMISSION

FROM:      Rickey R. Hass
           Deputy Inspector General for Audit Services
           Office of Inspector General

SUBJECT:   INFORMATION: Evaluation Report on "The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2010"

BACKGROUND

The Federal Energy Regulatory Commission (Commission) is responsible for regulating and overseeing the interstate transmission of natural gas, oil and electricity, in addition to numerous other natural gas and hydroelectric projects. The regulations set forth by the Commission are designed to meet the economic, environmental and safety interests of the Nation. The Commission gathers and analyzes massive amounts of data regarding the energy markets, using a wide range of information technology (IT) resources. As with other Federal agencies and private institutions, the threat of a breach or loss of IT assets, or of the information they contain, continues to increase as cyber attacks become more sophisticated and prevalent. To protect against such threats, the Commission expected to spend over $3.5 million during Fiscal Year (FY) 2010 to secure its IT assets.

The Federal Information Security Management Act of 2002 (FISMA) provides direction to agencies on the management and oversight of information security risks.
Under FISMA's requirements, the Office of Inspector General conducts an annual independent evaluation to determine whether the Commission's unclassified cyber security program is properly aligned with FISMA. This report presents the results of our evaluation for FY 2010.

RESULTS OF EVALUATION

The Commission had taken actions to significantly improve its cyber security posture and to mitigate the risks associated with each of the four weaknesses we identified during our FY 2009 evaluation. Testing during our current evaluation, however, revealed that additional action is needed to improve protection of information systems and data. Specifically, we found that security patches needed to resolve known vulnerabilities discovered during regularly scheduled scans were not applied to all workstations in a timely manner. In addition, even though officials had established an automated mechanism for tracking all known vulnerabilities, only ten percent of the identified "high risk" vulnerabilities were actually being tracked.

The problems we identified with the Commission's unclassified cyber security program were due, in part, to the less than fully effective implementation of policies and procedures. Specifically, contrary to established Commission policies, officials had not formally accepted the risks associated with not addressing known software vulnerabilities. As such, the risk to the agency's information systems and data remained higher than necessary.

Since the completion of the FY 2009 evaluation, the Commission had made significant progress in enhancing its unclassified cyber security program. For example, officials had taken action to address each of the weaknesses we identified in the prior year related to account modification and monitoring, network account management, and protection of sensitive information.
In addition, the Commission enhanced its plan of action and milestones database to include more specificity to help manage the cyber security program. These actions are positive; however, additional effort is needed to strengthen the protection of the Commission's information systems and data. As such, we have made a recommendation that, if fully implemented, should help the Commission further improve its cyber security posture.

Our evaluation also revealed an issue related to maintenance of the Commission's IT inventory that is discussed more fully in Appendix 1.

Due to security considerations, information on specific vulnerabilities has been omitted from this report. However, management officials have been provided with detailed information regarding the identified vulnerabilities and, in certain instances, have initiated or completed corrective action.

MANAGEMENT REACTION

Management concurred with the report's recommendation and disclosed that it had initiated actions to address the issues identified in our report. Management's comments are included in their entirety in Appendix 4.

Attachment

cc:    Deputy Secretary
       Executive Director, Federal Energy Regulatory Commission
       Chief of Staff

EVALUATION REPORT ON THE FEDERAL ENERGY REGULATORY COMMISSION'S UNCLASSIFIED CYBER SECURITY PROGRAM – 2010

TABLE OF CONTENTS

Commission's Unclassified Cyber Security Program

       Details of Finding
       Recommendation and Comments

Appendices

       Appendix 1: Other Matters for Consideration
       Appendix 2: Objective, Scope, and Methodology
       Appendix 3: Related Reports
       Appendix 4: Management Comments

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2010

DETAILS OF FINDING

Program Improvements

The Federal Energy Regulatory Commission (Commission) continued to make progress in enhancing its unclassified cyber security program and addressing previously identified cyber security issues. Specifically, we noted that corrective actions had been taken to address each of the four weaknesses identified during the Fiscal Year (FY) 2009 review. In particular, the Commission:

       - Had taken action to remediate previously identified access control weaknesses in the areas of account modification monitoring and network account management;

       - Enhanced its policies and procedures related to protection of sensitive information and ensured that sensitive information was encrypted when in transit; and,

       - Made improvements to its plan of action and milestones database containing weaknesses identified during security control testing, to include increased specificity to help manage the cyber security program.

Risk Management and Security Controls

Despite improvements in the management of its unclassified cyber security program, additional action is needed to further reduce the risk of
compromise to the Commission's information systems and data. In particular, we identified weaknesses in the area of vulnerability management.

Vulnerability Management

While the Commission had identified various vulnerabilities during the performance of regularly scheduled scans of networks, workstations and web applications, officials had not ensured that all workstations were patched in a timely manner. Specifically, our performance testing identified 7 commercial off-the-shelf (COTS) software products utilized by the Commission that contained more than 600 vulnerabilities on 28 workstations. Of the vulnerabilities identified, we noted that 445 (73 percent) were rated "high risk" by the National Vulnerability Database, sponsored by the Department of Homeland Security's National Cyber Security Division/US-CERT. In addition, 59 of the "high risk" vulnerabilities were more than 2 years old. The vulnerabilities were primarily associated with third-party productivity and internet applications. Officials noted that they had initiated installation of version upgrades to certain software products that could eliminate many of the identified vulnerabilities.
In addition, our testing did not reveal any actual exploitation of the identified vulnerabilities, although, as noted in Appendix 2, determining whether vulnerabilities had been exploited was outside the scope of our work.

Furthermore, even though the Commission had established the Vulnerability Tracking Tool (VTT) to track scanning-related weaknesses identified as part of its continuous monitoring program, not all known vulnerabilities were included in the tool. Specifically, only 43 of the 445 (10 percent) "high risk" vulnerabilities identified during our performance testing were tracked in the VTT. In addition, a number of the vulnerabilities identified were entered into the VTT only after we brought them to management's attention. We did note that one item included in the VTT related to a specific application and covered various individual vulnerabilities. While we could not confirm how many vulnerabilities this item covered, it is likely that the percentage of weaknesses actually being tracked is higher than the 10 percent we could confirm.
The table below summarizes, by application, the number of vulnerabilities identified, the number rated "high risk", and the number of "high risk" vulnerabilities tracked in the VTT.

  Application   Total Vulnerabilities   High Risk Vulnerabilities   High Risk Tracked in VTT
  COTS - 1              110                        93                         13
  COTS - 2              100                        86                         12
  COTS - 3               58                        47                          8
  COTS - 4               53                        46                         10
  COTS - 5              159                        93                          0
  COTS - 6               37                        25                          0
  COTS - 7               92                        55                          0
  Total                 609                       445                         43

Tracking all known vulnerabilities in the VTT could help ensure that they receive the appropriate level of management attention.

Cyber Security Policy Implementation

The problems we identified with the Commission's unclassified cyber security program were due, in part, to a less than fully effective implementation of policies and procedures. In particular, contrary to established Commission policies related to vulnerability tracking and risk acceptance, we identified that officials had not formally accepted the risks associated with not addressing known software vulnerabilities.
Specifically, cyber security officials stated that they had accepted the risks associated with the vulnerabilities identified during our review and, therefore, did not need to track the weaknesses. However, they were unable to provide documentation to support this assertion. Officials also noted that not all workstations could be patched because the affected software was no longer supported by the manufacturer. Where a product is out of support no patch will arrive, so the remaining options are to upgrade or remove the product or to formally accept the risk; per the Commission's Vulnerability Management Program Standard Operating Procedure, completion of a waiver was required in situations where such risks were being accepted. In addition, as noted by the National Institute of Standards and Technology, establishing an appropriate mechanism for tracking known security weaknesses can aid in ensuring that they are effectively remediated in a timely manner.
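The reconciliation described in this section, scan findings matched against the VTT with a documented waiver required for any risk that is accepted rather than fixed, is straightforward to automate. The Python below is an added illustration written for this page; it is not the Commission's VTT, the OIG's test procedure, or any product's code. The export formats, the "high risk" threshold (a CVSS v2 base score of 7.0 or above, the NVD "High" band), the two-year staleness test, the review date and every record are constructed assumptions chosen to mirror the report's narrative, including an application-level VTT item of the kind the auditors could not map to individual vulnerabilities.

```python
"""Reconcile scan findings against a vulnerability tracking tool (VTT) and a
waiver register.  Added example for this page, not the Commission's tooling;
formats, thresholds and data are constructed assumptions."""
import csv
import io
from collections import defaultdict
from datetime import date

HIGH_RISK_SCORE = 7.0            # assumption: NVD CVSS v2 "High" band starts at 7.0
STALE_AFTER_DAYS = 2 * 365       # the report singles out items more than 2 years old
REVIEW_DATE = date(2010, 9, 30)  # assumption: end of the audit fieldwork period

# Constructed scan export, one row per (workstation, product, finding).
# Finding identifiers are placeholders, not real CVE numbers.
SCAN_CSV = """host,product,finding,cvss,published
ws-01,COTS-1,SCAN-1001,9.3,2008-03-11
ws-02,COTS-1,SCAN-1001,9.3,2008-03-11
ws-01,COTS-1,SCAN-1002,4.3,2010-05-20
ws-03,COTS-2,SCAN-2001,7.5,2009-07-01
ws-03,COTS-5,SCAN-5001,10.0,2007-02-14
ws-04,COTS-5,SCAN-5002,7.2,2010-06-30
ws-04,COTS-6,SCAN-6001,5.0,2010-01-15
ws-05,COTS-6,SCAN-6002,7.8,2009-01-10
"""
# Constructed VTT export.  An empty 'finding' is an application-level item,
# the kind the auditors could not map to individual vulnerabilities.
VTT_CSV = """item,product,finding
VTT-101,COTS-1,SCAN-1001
VTT-102,COTS-2,
"""
# Constructed waiver register: documented risk acceptance, keyed by product.
WAIVERS = {"COTS-6": "WAIVER-2010-07"}


def load_findings(text):
    """Parse the scan export, typing the score and publication date."""
    return [{"host": r["host"], "product": r["product"], "finding": r["finding"],
             "cvss": float(r["cvss"]), "published": date.fromisoformat(r["published"])}
            for r in csv.DictReader(io.StringIO(text))]

def load_vtt(text):
    """Return explicit (product, finding) pairs and products with an app-level item."""
    explicit, app_level = set(), set()
    for r in csv.DictReader(io.StringIO(text)):
        if r["finding"]:
            explicit.add((r["product"], r["finding"]))
        else:
            app_level.add(r["product"])
    return explicit, app_level

def is_high(f):
    return f["cvss"] >= HIGH_RISK_SCORE

def is_tracked(f, explicit, app_level, count_app_level):
    """Explicitly tracked, or (if allowed) covered by an application-level item."""
    return ((f["product"], f["finding"]) in explicit
            or (count_app_level and f["product"] in app_level))

def coverage_table(findings, explicit, app_level, count_app_level=False):
    """Per-product counts in the shape of the report's table: total findings,
    high-risk findings, and high-risk findings tracked in the VTT.  Each
    (host, finding) instance counts once.  count_app_level=False is the
    conservative reading the auditors could confirm; True credits app-level items."""
    table = defaultdict(lambda: {"total": 0, "high": 0, "tracked": 0})
    for f in findings:
        row = table[f["product"]]
        row["total"] += 1
        if is_high(f):
            row["high"] += 1
            row["tracked"] += int(is_tracked(f, explicit, app_level, count_app_level))
    return dict(table)

def tracked_share(table):
    """Percentage of high-risk findings tracked, rounded as the report rounds."""
    high = sum(r["high"] for r in table.values())
    tracked = sum(r["tracked"] for r in table.values())
    return round(100 * tracked / high) if high else 100

def policy_exceptions(findings, explicit, app_level, waivers, as_of=REVIEW_DATE):
    """High-risk findings neither tracked (crediting app-level items) nor covered
    by a documented waiver: the condition the report calls contrary to the SOP.
    Returns (host, product, finding, stale); stale means older than two years."""
    out = []
    for f in findings:
        if not is_high(f) or f["product"] in waivers:
            continue
        if is_tracked(f, explicit, app_level, count_app_level=True):
            continue
        stale = (as_of - f["published"]).days > STALE_AFTER_DAYS
        out.append((f["host"], f["product"], f["finding"], stale))
    return out


if __name__ == "__main__":
    fs, (ex, al) = load_findings(SCAN_CSV), load_vtt(VTT_CSV)
    for label, flag in (("confirmed only", False), ("app-level credited", True)):
        t = coverage_table(fs, ex, al, flag)
        print(f"{label}: {tracked_share(t)}% of high-risk findings tracked", dict(sorted(t.items())))
    print("needs a waiver or a VTT entry:", policy_exceptions(fs, ex, al, WAIVERS))
```

coverage_table() reproduces the shape of the report's table under both readings: with count_app_level=False only explicitly tracked items count, which is the figure the auditors could confirm; with True, application-level items are credited, which is the direction in which the report says the real percentage likely lies. policy_exceptions() is the list officials would have to cover with either a VTT entry or a waiver, and its stale flag picks out the items matching the report's "more than 2 years old" observation. Running the file prints both tables and the exception list.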
In preliminary comments on our audit findings, officials noted that they were aware of the need to better document accepted risks and agreed to take the necessary corrective actions.

Risk to Commission Systems and Information

While the Commission made progress in improving its cyber security posture over the past year, the risk to the agency's information systems and data remained higher than necessary. Specifically, failure to correct identified "high risk" weaknesses in a timely manner increases the likelihood that known security weaknesses will be exploited, thereby compromising the Commission's systems. Without improvements in the implementation of vulnerability management policies and procedures, management may be unable to track all known security weaknesses, which could hinder timely remediation efforts.

RECOMMENDATION

To correct the weaknesses identified in this report and improve the effectiveness of the Commission's cyber security program, we recommend that the Executive Director, Federal Energy Regulatory Commission, take action to ensure that procedures related to vulnerability management are fully implemented in a timely manner, to include documenting the acceptance of risk, as appropriate.

MANAGEMENT REACTION

Management concurred with the report's recommendation and commented that it had initiated actions to address the weaknesses identified during our evaluation.
In particular, management commented that the Commission was in the process of reviewing and revising its VTT and remediating the vulnerabilities identified during our review.

AUDITOR COMMENTS

Management's comments were responsive to our recommendation. Management's comments are included in their entirety in Appendix 4.

Appendix 1

OTHER MATTERS FOR CONSIDERATION

In addition to the weaknesses discussed in this report related to the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program, we identified a separate area for consideration. Specifically, we noted that the Commission's information technology (IT) hardware inventory was not accurate or complete. For instance, we found that 11 items sampled had been excessed but still remained on the inventory listing in the Sunflower system. In some instances, these items remained in the system for up to two years after being sent to the General Services Administration for reuse. We also identified an instance where the Commission had not included all servers within the Sunflower system; rather, officials tracked only the chassis (casing) that contained the servers, not the individual servers inside it. Furthermore, we identified one instance where a laptop had been incorrectly categorized as general hardware within Sunflower.

These issues occurred because the Commission had not adhered to its established procedures for inventory management. Specifically, the Commission's Property Management Standard Operating Procedures required that the asset management system be updated within one business day of property being transferred.
However, as noted above, we identified inventory that still remained in the system even though it had been removed from the site approximately 2 years prior to our review. In addition, while Commission representatives stated that an annual inventory of all hardware had been conducted as a compensating control to offset the lack of a complete IT listing, this control did not ensure that officials would be able to effectively identify whether inventory had been lost or stolen.

SUGGESTION FOR IMPROVEMENT

To correct the weaknesses identified, we suggest that the Executive Director, Federal Energy Regulatory Commission, take action, as appropriate, to ensure that the Commission's Property Management procedures are fully implemented, to include timely reporting of inventory actions.

Appendix 2

OBJECTIVE, SCOPE, AND METHODOLOGY

OBJECTIVE

To determine whether the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program adequately protected data and information systems.

SCOPE

The audit was performed between June 2010 and September 2010 at the Commission's Headquarters in Washington, DC. Specifically, we performed an assessment of the Commission's unclassified cyber security program. The evaluation included a review of general and application controls in areas such as certification and accreditation, security configuration management, incident response and reporting, and plans of action and milestones.
Our work did not include a determination of whether the vulnerabilities found had actually been exploited and used to circumvent existing controls.

METHODOLOGY

To accomplish our objective, we:

       - Reviewed Federal laws and regulations related to controls over information technology (IT) security, such as the Federal Information Security Management Act of 2002, Office of Management and Budget Memoranda, and National Institute of Standards and Technology standards and guidance;

       - Reviewed the Commission's overall cyber security program, including policies, procedures and practices;

       - Held discussions with officials from the Commission and reviewed relevant documentation;

       - Evaluated the Commission in conjunction with its annual audit of the Financial Statements, utilizing work performed by KPMG LLP (KPMG), the Office of Inspector General's (OIG) contract auditor. OIG and KPMG work included analysis and testing of general and application controls for the network and systems and review of the network configuration; and,

       - Reviewed prior reports issued by the OIG and the Government Accountability Office.

We conducted this audit in accordance with generally accepted Government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Accordingly, we assessed significant internal controls and the Commission's implementation of the Government Performance and Results Act of 1993 and determined that it had established performance measures for its information and cyber security program. Because our evaluation was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation. We did not rely solely on computer-processed data to satisfy our objective. However, computer-assisted audit tools were used to perform probes of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.
In addition, we confirmed the validity of other data, when appropriate, by reviewing supporting source documents.

An exit conference was waived by Commission officials.

Appendix 3

RELATED REPORTS

Office of Inspector General Reports

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2009 (DOE/IG-0830, October 2009). The Federal Energy Regulatory Commission (Commission) had taken steps to improve its cyber security program based on the deficiencies identified during the Fiscal Year 2008 review. However, additional actions were necessary to help ensure that the Commission's network, systems and data were adequately protected against increasingly sophisticated cyber security attacks. These problems occurred, at least in part, because the Commission had not developed policies and procedures to address all Federal requirements pertaining to information security. In addition, the audit team found that officials had not always effectively implemented existing policy and/or corrected previously observed weaknesses. It was also noted that the Commission's plan of action and milestones process for addressing cyber security weaknesses did not include all information necessary to ensure effectiveness. Absent improvement, the risk to the agency's information systems and data remained higher than necessary.

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2008 (DOE/IG-0802, September 2008). The Commission had taken action to improve cyber security practices and had implemented protective measures designed to defend its networks against malicious attackers and other external threats.
Our evaluation, however, disclosed that additional actions were needed to reduce the risk of compromise to the Commission's business information systems and data to an acceptable level. These problems existed because the Commission had not fully developed or implemented all current Federal cyber security requirements. In response to our inquiries, management stated that, due to the recent departure of a large number of information technology staff, insufficient attention had been given to ensuring that existing policies and procedures were implemented. We made several recommendations designed to assist in achieving this goal.

The Federal Energy Regulatory Commission's Cyber Security Program - 2007 (OAS-L-07-23, September 2007). Overall, we continued to note improvements in the Commission's cyber security program. During our evaluation, we found that a major financial processing system had undergone a significant software upgrade in 2005, but the system had not been recertified and reaccredited for operation. Because of the nature of the software upgrade, significant changes occurred both in the manner in which data was processed and in how it was transmitted, a situation that could have introduced security vulnerabilities or increased the risk associated with the system upgrade. Commission officials provided evidence that they had started a comprehensive recertification process in January 2007 and had completed a number of important parts of the effort. Since corrective actions were well underway, we did not make any recommendations.
However, we suggested that the Executive Director ensure that the ongoing risk assessment and re-certification of the system fully consider the risk posed by the software upgrade and modify system controls, if necessary.

Appendix 4

MANAGEMENT COMMENTS
This report (IG Report No. OAS-M-11-01) is available electronically through the U.S. Department of Energy Office of Inspector General home page at http://www.ig.energy.gov